Title: Add Common Platform Enumerator information to package meta information
DEP: ?
State: Pre-DRAFT
Date: 2012-04-13
Drivers: Petter Reinholdtsen <pere@hungry.com>
URL: http://wiki.debian.org/CPEtagPackagesDep
Abstract:
This document propose to make it easier to map between Debian packages
and known security holes by tagging each package with Common Platform
Enumerator strings, allowing us to look up our packages in the NVD CVE
database of security issues. This will make it easier for enterprise system
administrators to figure out which security problems affect their computers,
and make it easier for the Debian security team to figure out which Debian
packages are affected by a given security problem.

Introduction and Motivation

The National Vulnerability Database (NVD) provide a information about Common Vulnerabilities and Exposures (CVE) entries, including the severity of the problem and what software is affected. The list of software packages affected uses the Common Platform Enumerator values to identify individual software packages and versions.

By mapping Debian packages to CPE values, it is possible to figure out which packages are affected by which CVEs, and also to discover if the security tracker in Debian have holes in its coverage. This mapping can be done manually, but the it would be easier for both system administrators and the Debian security team if each package maintainer would keep track of their packages CPE value.

A prototype doing such mapping is implemented in the secure-testing SVN repository, svn://svn.debian.org/svn/secure-testing . These are the files involved:

bin/compare-nvd-cve

data/CPE/list

data/CPE/aliases

Proposal

Add a new user defined header to the source section of the control file, listing the CPE value in URI form for a given package. The CPE value should be passed on to the binary and source package information in the APT sources. See deb-src-control(5) for info on user defined headers. Some packages have several CPE values, for historical reasons, and for these all of them should be listed, separated by comma.

It would look something like this in the perl package:

XBS-Upstream-CPE: cpe:/a:perl:perl, cpe:/a:larry_wall:perl

History

2012-04-13 First skeleton draft. 2012-06-27 Updated with a few links and more concrete proposal.